[Trojan] Backdoor.agent.ba / Explorer freaking out?

248 views since 30-01-2008

Verwijderd (topic starter)
Hi, for about two weeks now I've had a strange problem with my Windows XP Home Edition. As soon as the computer has been on for more than 2 hours it becomes terribly sluggish.

When I then look in Task Manager I see that my memory usage is at 1110 MB! (I only have 768 MB)
I also see this:

http://members.lycos.nl/williamberkhout3/virus.JPG

Very annoying that explorer eats that much memory.

I have run online virus scanners such as AVG, Panda etc. AVG reported that I had a virus in the file DG3D.dll, so I went looking in the Windows folder.. But.. there is no file with that name at all!

What I have already done:

- Run online virus scanners
- Googled on computing.com etc.
- Found nothing here with the search
- Removed all spyware

And I still get pop-ups and suffer from a slow PC that sometimes goes into standby out of nowhere.

HijackThis gives this:
Logfile of HijackThis v1.97.7
Scan saved at 21:35:28, on 28-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\IP Insight\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\IP Insight\ARUpld32.exe
C:\Documents and Settings\All Users\Menu Start\Programma's\mIRC\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Berkhout\LOCALS~1\Temp\Rar$EX00.234\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.planet.nl/
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {793F5206-0184-4F6A-A288-FD5FDF8A534C} - C:\WINDOWS\System32\bag.dll
O2 - BHO: (no name) - {B0E78EE8-50C9-46B5-4855-6736A8E2F71F} - C:\PROGRA~1\MANAGE~1\blahroam.dll (file missing)
O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [RUNDLL] c:\windows\system32\rundll32\svchost.exe
O4 - HKLM\..\Run: [svc] rundll32.exe
O4 - HKLM\..\Run: [secure] c:\windows\system32\secure\rundll32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ad Arrest] C:\Program Files\Ad Arrest IE Popup Killer\adarrest.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.planet.nl
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.../MineSweeper.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B0820D7-B624-4430-A135-7EAFBBD49165}: NameServer = 195.121.1.34 195.121.1.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B0820D7-B624-4430-A135-7EAFBBD49165}: NameServer = 195.121.1.34 195.121.1.66
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B0820D7-B624-4430-A135-7EAFBBD49165}: NameServer = 195.121.1.34 195.121.1.66
I'm really at my wits' end now. Please help me.

wildhagen (Registration: June 1999)

code:
O4 - HKLM\..\Run: [RUNDLL] c:\windows\system32\rundll32\svchost.exe
O4 - HKLM\..\Run: [svc] rundll32.exe
O4 - HKLM\..\Run: [secure] c:\windows\system32\secure\rundll32.exe


All three are extremely suspicious. Scan them with the Jotti scan: http://virusscan.jotti.dhs.org/

These entries can simply go:

code:
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {793F5206-0184-4F6A-A288-FD5FDF8A534C} - C:\WINDOWS\System32\bag.dll
O2 - BHO: (no name) - {B0E78EE8-50C9-46B5-4855-6736A8E2F71F} - C:\PROGRA~1\MANAGE~1\blahroam.dll (file missing)
O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll


This is spyware, can be removed:

code:
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

[ Edited 61% by wildhagen on 02-07-2004 15:43 ]

Viruses? Scan them here!
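The triage wildhagen does by eye (a system binary name started from the wrong directory, a BHO whose DLL is missing or sits in the Windows directory, an IE search page pointing at a local file) can be written down as checks over HijackThis lines. The script below is an added example and is not part of HijackThis or of this thread; the sample lines are copied from the first log above, and it assumes Windows lives in C:\WINDOWS as in these logs.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not a HijackThis feature)."""
import re
from pathlib import PureWindowsPath

# Binaries that legitimately run only from the Windows system directories.
SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe"}
# Assumption: Windows is installed in C:\WINDOWS (true for the logs in this thread).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) =\s*(?P<value>.*)$")

# Sample input: lines taken from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.planet.nl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {793F5206-0184-4F6A-A288-FD5FDF8A534C} - C:\WINDOWS\System32\bag.dll
O2 - BHO: (no name) - {B0E78EE8-50C9-46B5-4855-6736A8E2F71F} - C:\PROGRA~1\MANAGE~1\blahroam.dll (file missing)
O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [RUNDLL] c:\windows\system32\rundll32\svchost.exe
O4 - HKLM\..\Run: [svc] rundll32.exe
O4 - HKLM\..\Run: [secure] c:\windows\system32\secure\rundll32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""


def image_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path; arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)   # unquoted path may contain spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]


def check_o4(cmd: str) -> list:
    """Flag a system binary name started from outside the system directories."""
    p = PureWindowsPath(image_path(cmd))
    base, parent = p.name.lower(), str(p.parent).lower()
    if base not in SYSTEM_BINARIES:
        return []
    if parent == ".":   # bare name: resolved via PATH/current dir, not how Windows starts these
        return [f"{base} started without a full path"]
    if parent not in SYSTEM_DIRS:
        return [f"{base} started from non-system directory {parent}"]
    return []


def check_o2(path: str) -> list:
    """Flag a BHO whose DLL is gone or was dropped straight into the Windows directory."""
    findings = []
    if path.endswith("(file missing)"):
        findings.append("BHO registered but DLL missing (stale registration)")
        path = path[: -len("(file missing)")].strip()
    if str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS:
        findings.append("BHO DLL lives in the Windows directory instead of a vendor folder")
    return findings


def check_r(value: str) -> list:
    """Flag an IE search/start page that points at a local file (the sp.html hijack)."""
    return ["IE search/start page redirected to a local file"] if value.lower().startswith("file://") else []


def triage(lines) -> list:
    """Return (line, reason) pairs for every suspicious entry."""
    out = []
    for line in lines:
        line = line.rstrip()
        if (m := O4_RE.match(line)):
            reasons = check_o4(m["cmd"])
        elif (m := O2_RE.match(line)):
            reasons = check_o2(m["path"])
        elif (m := R_RE.match(line)):
            reasons = check_r(m["value"])
        else:
            reasons = []
        out.extend((line, r) for r in reasons)
    return out


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason}\n    {line}")
```

Run against the sample it reports exactly the three Run entries wildhagen singled out plus the bag.dll, lbbho.dll and missing-DLL BHOs and the sp.html search hijack, while leaving IntelliPoint, Acrobat's helper and ctfmon alone. The name check is deliberately narrow: a Windows system binary has one legitimate home, so the same name in a subfolder of System32 or with no path at all is a masquerade, whereas an unknown name in an odd place still needs a scan (Jotti, as suggested above) before you call it malware.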


Verwijderd (topic starter)

Sorry, I posted an old HijackThis log.
Logfile of HijackThis v1.97.7
Scan saved at 15:44:23, on 2-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IP Insight\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\IP Insight\ARUpld32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Berkhout\Local Settings\Temporary Internet Files\Content.IE5\0XUZ09E7\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Berkhout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: load=?
F1 - win.ini: run=?
O2 - BHO: (no name) - {B9BF1816-1E96-4BBF-B70E-24D66158F474} - C:\WINDOWS\System32\bag.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B0820D7-B624-4430-A135-7EAFBBD49165}: NameServer = 195.121.1.34 195.121.1.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B0820D7-B624-4430-A135-7EAFBBD49165}: NameServer = 195.121.1.34 195.121.1.66
This is the right one.

Sorry wildhagen, I hope you're still willing to put some time into this. Thanks in advance.

[ Edited 3% by Verwijderd on 02-07-2004 15:47 ]


wildhagen (Registration: June 1999)

No problem, everyone makes mistakes :)

These entries can still go:

code:
F1 - win.ini: load=?
F1 - win.ini: run=?
O2 - BHO: (no name) - {B9BF1816-1E96-4BBF-B70E-24D66158F474} - C:\WINDOWS\System32\bag.dll


For that sp.html business you could also read through this topic: [ IEXPLORER] Last van adware - sp.html

Good luck :)

Viruses? Scan them here!


Verwijderd (topic starter)

Thanks dude, I'm eternally grateful :>

Verwijderd

This topic is a bit old, but this seemed like a simple solution to me: B)

-----------------------

Remove Backdoor.agent.ba when detected by AVG antivirus


1. Use Notepad's Open dialog to see the file where regular Explorer fails to show it.

2. Remember to select "All Files" as the file type.

3. Once you see the file in the Open dialog, drag it to the desktop.

4. Rename the file to whatever (I renamed the infected file to "a" with no file extension).

5. Reboot into Safe Mode with Command Prompt.

6. Delete the file (del

Worked for me.

Infected computer: Windows XP Home Edition